Re: You're on SecurityFocus.com for the cleartext passwords.

> Okay, my understanding was that the protocol would work as follows:
> 
> - client requests login
> - server sends stored salt c1, and random salt c2.
> - client performs hash_c2(hash_c1(password)) and sends result to server.
> - server performs hash_c2(stored_pg_shadow) and compares with client
> submission.
> - if there's a match, there's successful login.
> 
> This protocol will truly create a challenge-response where the communication
> is different at each login, and where sniffing one
> hash_c2(hash_c1(password)) doesn't give you any way to log in with a
> different c2.

Yes.

--  Bruce Momjian                        |  http://www.op.net/~candle pgman@candle.pha.pa.us               |  (610)
853-3000+  If your life is a hard drive,     |  830 Blythe Avenue +  Christ can be your backup.        |  Drexel Hill,
Pennsylvania19026